The present invention relates generally to computer system security. More specifically, the present invention is related to a system and method for protecting the password of a user when using a public computer terminal.
It is often necessary for a computer system to allow a user to authenticate to a web-based application, such as Internet-based e-mail, from a public-access terminal or from some other public computer on which the user has limited or no control regarding computer security. However, it is becoming increasingly risky, from a computer security perspective, to merely require that the user enter a secret password at the public-access terminal. In particular, when the user is attempting to access confidential information from the computer system, conventional password protection may not be adequate.
The inadequacy of password protection may result from, for example, the possibility that an attacker could beforehand have modified the function of the public-access terminal with a spyware program. Such a program, which may include an off-the-shelf keystroke-recording program placed on the terminal, can operate to capture information entered by an authorized user. If the keystroke recording program records the user's password, for example, the attacker may use the password to subsequently gain access to the same information that the authorized user is permitted to access.
It is known in the relevant art to provide a virtual keyboard 11 on a computer display 10, as shown in FIG. 1, to guard against such keystroke-recording programs. During operation, the user enters a password by moving a mouse cursor 13 to ‘click’ on the appropriate sequence of virtual keys on the virtual keyboard, where the virtual keys are arranged in a conventional “QWERTY” format as shown. However, this method of security can be thwarted by a simple key logging program that records the cursor movements and clicks of the mouse, and then derives virtual keyboard key positions from the recorded cursor movements. Moreover, an attacker may employ the more sophisticated approach of using optical character recognition (OCR) software to identify, capture, and record the virtual keys being “struck” on the virtual keyboard.
From the above, it is clear that there is a need for a reliable system and method for providing secure access to a computing system from either a user's workstation or from a public terminal by avoiding key logging and OCR capture when entering a password.